kvm: module verification failed: signature and/or required key missing - tainting kernel

谎友^ 2020-12-06 04:35

I'm using Ubuntu 14.04 LTS and kernel version 3.13.11.4.
I'm trying to load patched KVM modules kvm and kvm-intel.

4 answers
  • 2020-12-06 05:05

    Go to the kernel source directory and run (for example):

    ./scripts/sign-file sha512 ./signing_key.priv ./signing_key.x509 /lib/modules/3.10.1/kernel/drivers/char/my_module.ko
    

    For kernel 4.4.*, the key locations are as follows:

    ./scripts/sign-file sha512 ./certs/signing_key.pem ./certs/signing_key.x509 path/to/your/kernel/module.ko 
    

    Check which digest algorithm your kernel uses by opening .config and reading the CONFIG_MODULE_SIG values:

    CONFIG_MODULE_SIG=y
    CONFIG_MODULE_SIG_ALL=y
    CONFIG_MODULE_SIG_SHA512=y
    CONFIG_MODULE_SIG_HASH="sha512"
    
  • 2020-12-06 05:08

    Instead of re-configuring the kernel, this error (module verification failed) could be resolved by just adding one line CONFIG_MODULE_SIG=n to the top of the Makefile for the module itself:

    # Disable module signing for this module's build (must come before the build logic).
    CONFIG_MODULE_SIG=n
    
    # If KERNELRELEASE is defined, we've been invoked from the
    # kernel build system and can use its language.
    ifneq ($(KERNELRELEASE),)
        obj-m := hello.o
    
    # Otherwise we were called directly from the command
    # line; invoke the kernel build system.
    else
        KERNELDIR ?= /lib/modules/$(shell uname -r)/build
        PWD := $(shell pwd)
    
    # The recipe line below must be indented with a tab, not spaces.
    default:
    	$(MAKE) -C $(KERNELDIR) M=$(PWD) modules
    endif
    
  • 2020-12-06 05:09

    It seems like the vendor of your system has enabled kernel module signature verification on your kernel which means it won't load any module that the vendor hasn't signed. In other words, your patched module isn't signed (properly) and the kernel will refuse to load it.

    The point of this is supposed to prevent malware and rootkits from loading malicious kernel modules.

    I suggest you contact your vendor. There may be an option somewhere on your platform to disable signature checking. Otherwise, your vendor may be able to sign the module for you. You might even have the key and the details of the signature verification algorithm and can sign it yourself.

    Without knowing what platform you're running on, it's hard to give more specific suggestions.

  • 2020-12-06 05:11

    In general, if you are building a custom kernel and using make oldconfig, this copies the existing config-* file from /boot. Nowadays most kernel modules are required to be signed by the Linux vendor. So edit the .config and disable CONFIG_MODULE_SIG_ALL and CONFIG_MODULE_SIG before compiling the kernel.

    CONFIG_MODULE_SIG=n
    CONFIG_MODULE_SIG_ALL=n
    # CONFIG_MODULE_SIG_FORCE is not set 
    # CONFIG_MODULE_SIG_SHA1 is not set
    # CONFIG_MODULE_SIG_SHA224 is not set
    # CONFIG_MODULE_SIG_SHA256 is not set
    # CONFIG_MODULE_SIG_SHA384 is not set
    
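The sign-file command in the first answer works by appending a signature trailer to the .ko, and the "signature and/or required key missing" message in the title is what the kernel logs when that trailer is absent or was made with a key it does not trust. The following Python is an added example for this thread, not code from the kernel tree or from any of the answers: it builds that trailer layout and parses it back, so you can tell whether a module is signed, in which format and with which digest, before resorting to disabling signing as the second and fourth answers suggest. The struct layout, the magic string and the enum values are the kernel's; the module bytes and signature bytes used in the demo are constructed placeholders (a real signature is the PKCS#7 DER blob sign-file produces on kernels from 4.3 on, or the signer-name/key-id/signature form that 3.x kernels such as the asker's used).

```python
"""Build and inspect the signature trailer that scripts/sign-file appends.

Layout of a signed module (kernel: include/linux/module_signature.h, scripts/sign-file):

    <module ELF> [signer name] [key id] <signature> <struct module_signature> <magic>

struct module_signature (12 bytes):
    u8 algo, hash, id_type, signer_len, key_id_len;  u8 __pad[3];  __be32 sig_len;

For PKCS#7 trailers (kernel >= 4.3, id_type 2) the kernel requires algo, hash,
signer_len and key_id_len to be zero: the digest and signer live inside the
PKCS#7 blob.  Older trailers (id_type 1, X.509) carry the hash id in the struct.
"""
import struct
import sys

MODULE_SIG_STRING = b"~Module signature appended~\n"
MODULE_SIG_STRUCT = struct.Struct(">BBBBB3xI")   # 5 x u8, 3 pad bytes, big-endian u32

PKEY_ID_PKCS7 = 2
PKEY_ID_NAMES = {0: "PGP", 1: "X509", 2: "PKCS#7"}
# enum hash_algo from include/uapi/linux/hash_info.h (first eight entries)
HASH_ALGO_NAMES = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
                   4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}


def append_signature(module, signature, id_type=PKEY_ID_PKCS7,
                     algo=0, hash_algo=0, signer=b"", key_id=b""):
    """Append a trailer the way sign-file does. `signature` is whatever the
    signing step produced (a PKCS#7 DER blob for id_type 2)."""
    trailer = MODULE_SIG_STRUCT.pack(algo, hash_algo, id_type,
                                     len(signer), len(key_id), len(signature))
    return module + signer + key_id + signature + trailer + MODULE_SIG_STRING


def parse_signature(blob):
    """Return None if `blob` has no signature trailer, otherwise a dict with the
    trailer fields, the signature bytes and the unsigned module bytes.
    Applies the same sanity checks the kernel's mod_check_sig() makes before
    it even tries to verify the signature cryptographically."""
    if not blob.endswith(MODULE_SIG_STRING):
        return None                    # unsigned -> "signature and/or required key missing"
    body = blob[:-len(MODULE_SIG_STRING)]
    n = MODULE_SIG_STRUCT.size
    if len(body) < n:
        raise ValueError("truncated struct module_signature")
    algo, hash_algo, id_type, signer_len, key_id_len, sig_len = \
        MODULE_SIG_STRUCT.unpack(body[-n:])
    body = body[:-n]
    total = signer_len + key_id_len + sig_len
    if total > len(body):
        raise ValueError("signature lengths exceed file size")
    if id_type == PKEY_ID_PKCS7 and (algo or hash_algo or signer_len or key_id_len):
        raise ValueError("PKCS#7 trailer must have algo/hash/signer/key_id zero")
    module, rest = body[:len(body) - total], body[len(body) - total:]
    signer = rest[:signer_len]
    key_id = rest[signer_len:signer_len + key_id_len]
    signature = rest[signer_len + key_id_len:]
    if id_type == PKEY_ID_PKCS7 and signature[:1] != b"\x30":
        raise ValueError("PKCS#7 signature is not a DER SEQUENCE")
    return {
        "id_type": PKEY_ID_NAMES.get(id_type, "unknown(%d)" % id_type),
        "hash": "inside PKCS#7" if id_type == PKEY_ID_PKCS7
                else HASH_ALGO_NAMES.get(hash_algo, "unknown(%d)" % hash_algo),
        "signer": signer.decode("latin-1"),
        "key_id": key_id.hex(),
        "signature": signature,
        "module": module,
    }


def strip_signature(blob):
    """Return the module without its trailer (the bytes the kernel hashes and verifies)."""
    info = parse_signature(blob)
    return blob if info is None else info["module"]


if __name__ == "__main__":
    # Usage: python3 modsig.py /lib/modules/$(uname -r)/kernel/arch/x86/kvm/kvm.ko
    # (decompress .ko.xz/.ko.zst first: the trailer is added before compression)
    data = open(sys.argv[1], "rb").read()
    info = parse_signature(data)
    if info is None:
        print("unsigned: no '~Module signature appended~' trailer")
    else:
        print("signed: id_type=%s hash=%s signer=%r key_id=%s sig_len=%d" % (
            info["id_type"], info["hash"], info["signer"], info["key_id"],
            len(info["signature"])))
```

Running this over the rebuilt kvm.ko tells you which of the two failure modes you are in. No trailer at all means the module was never signed, and the sign-file invocation from the first answer (with the digest that CONFIG_MODULE_SIG_HASH names) fixes it. A present, well-formed trailer means the kernel does not trust the signing certificate: compare the signer and key id against the keys listed in /proc/keys, since a module signed with a key outside the kernel's trusted keyring produces exactly the same "required key missing" message as an unsigned one.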